geronimo-dev mailing list archives

From Jan Bartel <j...@mortbay.com>
Subject Re: [security] Authentication mechanism
Date Thu, 27 Nov 2003 20:30:31 GMT
Hi Alan,

The web.xml file contains security statements that
1) define some role name mappings (role-name/role-link)
2) define which roles are permitted to access resources

These then get translated into Permissions by the 
PolicyConfigurationWeb.commit() when the web.xml is deployed.
Fine so far.

Now, when a servlet calls the method isUserInRole(role) on a HttpRequest 
we need to determine whether the call is executing on behalf of an 
(authenticated) user who is able to act in the role specified. Pre-JACC, 
this has been accomplished by matching the role argument against the set 
of roles associated with the user which were retrieved by the 
LoginModule when the user logged in.

With JACC, it looks like the impl of the isUserInRole(role) has to 
concoct a WebRoleRefPermission(servletname, role) and for the security 
infrastructure to check if that permission has been granted to the user 
(Subject). So, how does the security infrastructure perform that check? 
How does it determine if user X can act in the role Y? Doesn't it 
require some piece of code to convert a user's roles into 
WebRoleRefPermissions and associate them with the user's Subject?

Hope that clarifies my confusion a bit :-)

thanks
Jan

Alan D. Cabrera wrote:
> All the roles and permissions are in the web.xml.  What do you mean by
> the dynamic granting of roles to users?
>  
>  
> Regards,
> Alan
> 
> 	-----Original Message----- 
> 	From: Jan Bartel 
> 	Sent: Thu 11/27/2003 3:51 AM 
> 	To: geronimo-dev@incubator.apache.org 
> 	Cc: 
> 	Subject: Re: [security] Authentication mechanism
> 	
> 	
> 
> 	Just to add to my list of questions ...
> 	
> 	How does the current mechanism implemented in
> 	o.a.g.security.PolicyConfigurationWeb.commit() cope with the dynamic
> 	granting of roles to users? Looks like it is all set in concrete at the
> 	time of the commit(), or are the roles and permissions concerned those
> 	described in the web.xml?
> 	
> 	thanks again
> 	Jan
> 	
> 	
> 	
> 	Jan Bartel wrote:
> 	> I'm just taking a look at integrating the web tier security with
> 	> Geronimo security. I've got a couple of questions:
> 	>
> 	> 1.  When/who should call setMBeanServer on the
> 	>     GeronimoLoginConfiguration? Should I call it
> 	>     just before doing a LoginContext login() call?
> 	>
> 	>
> 	> 2.  What code is responsible for configuring the SecurityRealm
> 	>     instances? Should they be configurable from the
> 	>     security-service.xml file?
> 	>
> 	> 3.  I still can't work out where the mapping of the user's roles
> 	>     that are retrieved by the SecurityRealm are turned into permissions
> 	>     suitable for a HttpRequest.isUserInRole() call impl?
> 	>
> 	> Any pointers on any of these would be welcome.
> 	>
> 	> thanks
> 	> Jan
> 	
> 	
> 	
> 
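The two halves Jan is asking about, shown against the plain JSR 115 (javax.security.jacc) API as an added illustration; this is not code from Geronimo's PolicyConfigurationWeb or from anyone in this thread. It assumes a JACC policy provider is installed (Policy.getPolicy() returns it) and that the deployer has given that provider its principal-to-role mapping, which is where "is user X in role Y" is actually decided; contextId, servletName, roleName, roleLink and caller are assumed inputs.

```java
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyConfiguration;
import javax.security.jacc.PolicyConfigurationFactory;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.security.jacc.WebRoleRefPermission;

// Added example (hypothetical class, not Geronimo code).
public class JaccRoleCheck {

    // Deploy time: one <security-role-ref> (role-name -> role-link) of a servlet
    // becomes a WebRoleRefPermission that is granted to the linked application role.
    public static void commitRoleRef(String contextId, String servletName,
                                     String roleName, String roleLink)
            throws PolicyContextException, ClassNotFoundException {
        PolicyConfigurationFactory factory =
                PolicyConfigurationFactory.getPolicyConfigurationFactory();
        PolicyConfiguration config = factory.getPolicyConfiguration(contextId, false);
        // The permission names the servlet and the role-name the servlet code uses;
        // it is added to the real role (role-link) declared in web.xml.
        config.addToRole(roleLink, new WebRoleRefPermission(servletName, roleName));
        config.commit();
    }

    // Request time: what isUserInRole(role) boils down to under JACC. The
    // container does not compare role strings itself; it builds a ProtectionDomain
    // carrying the caller's principals and asks the installed Policy whether that
    // domain implies the permission. The provider resolves principals to roles.
    public static boolean isUserInRole(String contextId, String servletName,
                                       String role, Subject caller)
            throws PolicyContextException {
        PolicyContext.setContextID(contextId);  // select this web module's policy
        Principal[] principals = caller.getPrincipals().toArray(new Principal[0]);
        // Code location is irrelevant to a role check, so a null-location CodeSource.
        CodeSource noCode = new CodeSource(null, (Certificate[]) null);
        ProtectionDomain domain = new ProtectionDomain(noCode, null, null, principals);
        Permission wanted = new WebRoleRefPermission(servletName, role);
        return Policy.getPolicy().implies(domain, wanted);
    }
}
```

With a SecurityManager installed, PolicyContext.setContextID and PolicyConfigurationFactory.getPolicyConfigurationFactory require the corresponding SecurityPermission, so only container code, not the servlet, should call them.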